Method and apparatus for solving sequential constraints

ABSTRACT

Relates to automatic conversion of assumption constraints, used in circuit design verification, that model an environment for testing a DUT/DUV, where the assumptions specify sequential behavior. Such assumptions are converted, with the use of logic synthesis tools, into a gate-level representation. For formal verification, a verification output is constructed from the gate-level representation and DUT/DUV assertion-monitoring circuitry. A formal verifier seeks to prove the verification output cannot indicate a design error. For simulation verification, the gate-level representation is converted into a hybrid representation comprising pipelines and combinational constraints. During simulation, the pipelines hold state information necessary for a solution, of the combinational constraints, to be in accord with the sequential assumption constraints. For certain sequential assumption constraints, the combinational constraints are insufficient to insure avoidance of deadend states. In a deadend state, an assumption is violated. A method is presented for augmenting the combinational constraints to avoid deadend states.

FIELD OF THE INVENTION

The present invention relates generally to the solution of sets ofconstraints, and more particularly to the solution of sets ofconstraints containing at least one sequential constraint, in connectionwith design verification.

BACKGROUND OF THE INVENTION

To tackle the increasing complexity of integrated digital electroniccircuits, designers need faster and more accurate methods for verifyingthe functionality and timing of such circuits, particularly in light ofthe need for ever-shrinking product development times.

The complexity of designing such circuits is often handled by expressingthe design in a high-level hardware description language (HLHDL). TheHLHDL description is then converted into a physical circuitspecification through processes, well known to those of ordinary skillin the art as “synthesis,” involving translation and optimization.Examples of an HLHDL are:

-   -   1. IEEE Standard 1364-2001, for the Verilog Hardware Description        Language. The Institute of Electrical and Electronics Engineers,        Inc., 345 East 47^(th) Street, New York, N.Y. 10017-2394, USA.    -   2. IEEE Standard 1076-1993, for the VHDL Hardware Description        Language. ISBN: 1559373768, August 1994. The Institute of        Electrical and Electronics Engineers, Inc., 345 East 47^(th)        Street, New York, N.Y. 10017-2394, USA.

Once the HLHDL design has been created, it needs to be verified, andsuch HLHDL design can be referred to as the design under test or thedesign under verification (referred to herein as a “DUT/DUV”).

An HLHDL description can be verified by simulation at the HLHDL level.In another approach, the HLHDL can be translated into a gate-leveldescription that is then simulated, proven by formal methods or issubject to a hybrid combination of simulation and formal approaches.

Verification of an HLHDL description at relatively high-levels of designabstraction is important since detecting a circuit problem earlyprevents the expenditure of valuable designer time on achieving anefficient physical implementation for a design which, at a higher level,will not achieve its intended purpose. In addition, simulation of theDUT/DUV can be accomplished much more quickly at higher levels ofrepresentation than after the DUT/DUV has been translated into alower-level, more circuit-oriented implementation. For the formalapproach, combinatorial “explosion” is a major problem and thereforeapplying such methods to higher abstraction levels tends to allow themto address a larger portion of the DUT/DUV.

The verification of HLHDL descriptions has been aided by HardwareVerification Languages (or HVLs). An HVL can be implemented andsupported by a test-bench automation (TBA) tool. Among other goals, HVLscan provide programming constructs and capabilities more closely matchedto the task of verification of a DUT/DUV than are, for example, theHLHDL of the DUT/DUV itself or software-oriented programming languages(such as C or C++).

HVLs can include a programming mechanism by which to specify declarativeconstraints on a set of variables. Such declarative constraints can beeasier to specify than a procedural approach. Uses of declarativeconstraints can include the following:

-   -   i) declaration of “assertions” that specify properties the        DUT/DUV must exhibit in order to be regarded as operating        correctly; and    -   ii) declaration of “assumptions” that specify properties the        environment of the DUT/DUV must exhibit.

A DUT/DUV is typically designed such that correct operation is onlyassured if its environment satisfies a certain set of assumptions thathave been input to the verification system as a model of theenvironment.

In the context of simulation-based verification, an environment thatoperates according to a set of assumption constraints can be achieved bysolving the assumption constraints during the simulation process. Inthis case, terms of the assumption constraints whose values can bechanged (i.e., are under the control of the environment), to find asolution to the environment's assumption constraints during a particularsimulation cycle, are referred to as random variables (or RV's). Termsof the assumption constraints not under control of the environment(e.g., driven by the DUT/DUV) are referred to as state variables (orSV's).

In the context of formal verification, the objective is to exhaustivelyprove, provided the assumption constraints are not violated, thatassertions about the DUT/DUV cannot be violated.

It is known how to automatically implement a verification environment,for testing a DUT/DUV, from declarative combinational assumptionconstraints (or simply “combinational assumption constraints”).

However, combinational assumption constraints cannot specify atime-ordered behavior for an environment since combinational constraintsspecify assignment of values solely as a functional (or memory less)response to a current state of the various types of inputs that may beapplied to it.

It is also known how to automatically implement declarativecombinational or sequential assertion constraints. For verification byeither formal methods or simulation, such combinational or sequentialconstraints can be converted, by logic synthesis tools, into anadditional circuit, referred to as a “monitor,” that is connected to theDUT/DUV and that asserts an “assertion error” output if an assertion isviolated.

It would be desirable to be able to automatically implement averification environment, for testing a DUT/DUV, from an input set ofassumptions that includes declarative sequential assumption constraints(or simply “sequential assumption constraints”).

SUMMARY OF THE INVENTION

1. Summary of Conversion of Sequential Constraints

The present invention comprises techniques for automatically convertinga set of assumption constraints, that includes sequential assumptionconstraints, into a representation of an environment that tests aDUT/DUV.

Such sequential assumption constraints can be specified in a propertylanguage. While the process description herein is focused on theconversion of the sequential constraints, of an input set of assumptionconstraints that model an environment, it should be understood that theinput set of assumption constraints can include combinational assumptionconstraints.

Below is described a process for automatic conversion of sequentialassumption constraints, into a representation of an environment thattests a DUT/DUV, in terms of a first step and a second step.

1.1 Summary of First Step

In a first step, the sequential assumption constraints are converted,with the use of logic synthesis tools, into a gate-level representationthat could serve as a monitor of the environment. This gate-levelrepresentation for the sequential assumption constraints (referred toherein as the “gate-level assumption representation”) can include thefollowing:

i) register pipelines (referred to herein as “assumption pipelines”)that model the time-dependent properties of the sequential constraintsto be converted; and

ii) combinational gates (referred to herein as “assumption gates”) thatdrive an output (referred to herein as an “assumption error output”)indicating that an error in the assumptions has occurred.

Combinational assumption constraints, if included within an input set ofassumption constraints for modeling an environment, just require theassumption gates aspect of the gate-level assumption representation.

Two logic synthesis tools can be used to produce the gate-levelassumption representation:

-   -   i) A “sequential-constraints-to-HLDL compiler,” that converts a        language with sequential declarative constraints into a monitor        in an HLHDL. When such compiler encounters a sequential delay        operator, it implements the sequential delay, in its output        HLHDL, by producing a pipeline structure.    -   ii) An “HLDL-to-gate-level compiler,” that converts an HLHDL        into a gate level representation.

Once the DUT/DUV, assumptions and assertions are expressed in a commongate-level representation, such gate-level representations can becombined, for either simulation or formal methods, by a Gate-LevelMerger process into a combined gate-level representation.

While the present description focuses upon all of the DUT/DUV,assumptions and assertions being converted into a gate-levelrepresentation, alternative approaches can be used. For example, theDUT/DUV can be simulated at the HLHDL (also referred to as RTL) level.

Furthermore, while the present description focuses upon a gate-levelrepresentation where the gates are single-bit operators, gate-levelrepresentations, where the gates comprise word-level operators, can beused.

1.2 Summary of Second Step

Upon completion of the first step, the conversion process can continuein one of two ways depending upon whether verification by formalmethods, or by simulation, is desired.

For formal verification, a single “formal-verification-output” isconstructed, that combines the assumption-error-detecting gate-levelassumption representation produced in the first step withassertion-monitoring circuitry for the DUT/DUV. The entire combination,of DUT/DUV, assertion monitor, assumption monitor (environment) andcircuitry that produces the formal-verification-output, is input to aformal verifier. Depending upon the construction of the circuitry thatproduces the formal-verification-output, the goal of the verifier iseither to prove the formal-verification-output can never be Logic One(also referred to as a “true” value), or can never be Logic Zero (alsoreferred to as a “false” value).

If it is desired to produce a formal-verification-output where the goalis to prove that it can never be Logic One, suchformal-verification-output can be constructed such that it is Logic Oneif and only if an assertion is violated by the DUT/DUV (e.g., “assertionerror” becomes Logic One) and it is not the case that the assumptionconstraints have ever been violated (e.g., “assumption error” is alwaysLogic Zero). Assuring that assumption constraints have never beenviolated can be modeled by feeding assumption error through arecirculating latch circuit before it is ANDed with assertion error.

A variety of formal verifiers can be used.

If the gate-level assumption representation of the first step is to beused to generate test data for driving the DUT/DUV, in a simulationverification approach, the second step is to convert such gate-levelassumption representation into a hybrid assumption representation thatcomprises:

-   -   i) the assumption pipelines as simulated circuit elements; and    -   ii) combinational constraints, referred to herein as “equivalent        combinational assumption constraints,” whose solution by a        conventional combinational constraint solver produces an output        behavior for the environment that is in accord with the        sequential assumption constraints.

During simulation, the assumption pipelines are simulated such that theyhold, at any point in the simulation, state information necessary for asolution of the equivalent combinational assumption constraints to be inaccord with the sequential assumption constraints. Also, duringsimulation, the equivalent combinational assumption constraints aresolved and such solutions provide data, for driving inputs to theDUT/DUV, that is in accordance with the specified sequential assumptionconstraints.

Combinational assumption constraints, if included within an input set ofassumption constraints for modeling an environment, can be implementedwith just the equivalent combinational assumption constraints aspect ofthe hybrid assumption representation.

The equivalent combinational assumption constraints are formed from aset of gates, referred to herein as the “augmented assumption gates.”The augmented assumption gates can be extracted by beginning at theassumption error output and finding a transitive fanin, where such faninstops under either of two conditions: reaching a register output,reaching an input to the DUT/DUV. The transitive fanin does not stopupon reaching an output of the DUT/DUV and, therefore, such fanincontinues until a register output, within the DUT/DUV, is reached. It isthe fact that the transitive fanin does not stop at a DUT/DUV outputthat can cause the augmented assumption gates to contain additionalgates in comparison to the assumption gates.

The augmented assumption gates can be translated into equivalentcombinational assumption constraints, expressed in a symbolic form, asfollows: each gate's functionality is replaced by an appropriate logicaloperator; an input to a gate, from an output of a register within theDUT/DUV, is replaced by a state variable whose value is determined bythe value of its corresponding register output; and an input to a gate,connected to an input of the DUT/DUV, is converted into a randomvariable.

Another approach can be to translate the augmented assumption gates intoa BDD by any one of several known methods. As with translation tosymbolic form, an input to the BDD is a state variable where an input toa gate is connected to an output of a register within the DUT/DUV and aninput to the BDD is an RV where an input to a gate is connected to aninput of the DUT/DUV. Such BDD can then be input to a BDD constraintsolver. If such BDD constraint solver seeks solutions where all of itsBDD constraints are true, the BDD result of translating the augmentedassumption gates may be input to the constraint solver in complementedform.

Solving such equivalent combinational assumption constraints, in thecourse of a simulation, causes values to be assigned to their randomvariables that conform with the time-sequence-dependent rules of theinput sequential assumption constraints.

2. Summary of Conversion With Deadend Avoidance

For certain sets of sequential assumption constraints, the equivalentcombinational assumption constraints determined for them, as describedabove, are not sufficient to insure the random variables are alwaysassigned with values that conform with the time-sequence-dependentnature of the sequential assumption constraints.

A state of the environment, in which at least one of the inputassumption constraints that model the environment is violated, isreferred to herein as a “deadend” state.

Presented herein is a method for identifying deadend states and foraugmenting the equivalent combinational assumption constraint set suchthat transitions into deadend states are avoided. In the followingpresentation, the same symbol is used to denote both a set and itsBoolean characteristic function.

2.1 Summary of Fail Function

A “fail function” F(ŝ,{circumflex over (x)}) is determined, from theassumption gates, where ŝ is a state of the assumption pipeline and{circumflex over (x)} is the set of all inputs to the gate-levelassumption representation. F(ŝ,{circumflex over (x)}) returns a LogicOne if and only if the input ŝ and {circumflex over (x)} would producean invalid transition.

2.2 Summary of Deadend States Set

The set of deadend states, D₀, can be expressed in terms ofF(ŝ,{circumflex over (x)}) as follows:D ₀ ={ŝ|∀ _({circumflex over (x)}) F(ŝ,{circumflex over (x)})=1}

Thus, deadend states are those states that, for all possible inputcombinations, have no legal transitions. Since {circumflex over (x)} isuniversally quantified out of F(ŝ,{circumflex over (x)}), D₀ is solelyin terms of ŝ. Therefore, the corresponding Boolean characteristicfunction D₀(ŝ), of the set D₀, returns Logic One only when given adeadend state as an argument.

2.3 Summary of Augmented Deadend States Set

This section discusses production of an augmented deadend states set. Ifthe DUT/DUV has a signal that drives the environment, and is thereforenot under the environment's control, it may be desirable to determine astrongly augmented deadend states set. Determination of such stronglyaugmented deadend states set is discussed further below. Regardless ofwhether an augmented or strongly augmented deadend states set isdetermined, the remaining steps for deadend state avoidance are thesame.

Augmenting D₀ means adding to it all those states that, while having atleast one valid transition, lead inexorably to a deadend state. Thisset, referred to as D(ŝ), can be determined as a stepwise, backward,fixed-point determination. The term “fixed-point determination,” as usedherein, is also known as a “fixed-point computation” or “fixpointcomputation.” In mathematical set notation, the fixed-pointdetermination can be expressed as follows:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∀ _({circumflex over (x)})∃_(ŝ′)N(ŝ,{circumflex over (x)},ŝ′)==1&&(D _(k)(ŝ)|_(ŝ→ŝ′))==1}

Where N(ŝ,{circumflex over (x)},ŝ′) is a characteristic function, of astate transition relation, that is defined to return Logic One when, fora particular assumption environment, a present state of ŝ and an inputof {circumflex over (x)} leads to a next state of ŝ′.

N(ŝ,{circumflex over (x)},ŝ′) can be formed as follows from a particulargate-level assumption representation. For each register bit of ŝ′, thelogic gate network of its transitive fanin, terminating at a registerbit-line of ŝ or an input bit-line of {circumflex over (x)}, isdetermined. The logic network is converted into an equivalent Booleanlogic expression that is then equated with the register bit of ŝ′. Forall bits in ŝ′, the equations are ANDed together to form N(ŝ,{circumflexover (x)},ŝ′).

The above formula can be used with D_(k)(ŝ) initially set to D₀, and isiteratively applied as long as the value for a D_(k+1)(ŝ) is not equalto the value for a D_(k)(ŝ).

2.4 Summary of Reachable States Set

While the above procedure results in a set D(ŝ) containing all statesthat are either deadend states, or that lead inevitably to deadendstates, some of the states in D(ŝ) may not be reachable from the initialstates of the environment. With R₀(ŝ) defined as the set of initialstates of the environment, we define a set R_(k+1)(ŝ) to be the set ofall states reachable in one transition from R_(k)(ŝ) and R(ŝ) to be theset of all states reachable from R₀(ŝ). R₀(ŝ) is defined as the set ofinitial states of the environment monitor, that can be, for example, thestate in which all registers of the monitor contain zero.

R(ŝ) can be determined as a stepwise, forward, fixed-pointdetermination. In mathematical set notation, this fixed-pointdetermination can be expressed as follows:R _(k+1)(ŝ)=R _(k)(ŝ)∪{ŝ|(∃_({circumflex over (x)})∃_(ŝ) N(ŝ,{circumflexover (x)},ŝ′)==1&&R _(k)(ŝ)==1)|_(ŝ→ŝ)}

As can be seen above, the right-hand-side expression to the unionoperator provides a state ŝ′ for extending R_(k)(ŝ) if there exists aninput {circumflex over (x)} and a state ŝ, where ŝ is a member ofR_(k)(ŝ), such that ŝ, {circumflex over (x)} and ŝ′ are a validtransition.

The above formula can be used with R_(k)(ŝ) initially set to R₀(ŝ), andis iteratively applied as long as the value for a R_(k+1)(ŝ) is notequal to the value for a R_(k)(ŝ).

2.5 Summary of Reachable Deadend States Set

The set of reachable deadend states, referred to as RD(ŝ), is theintersection of the sets R(ŝ) and D(ŝ).

2.6 Summary of Fail Function Augmented for Deadend Avoidance

An augmented fail function “F” with deadend avoidance, referred to asF^(da), can be determined from the above determined relationN(ŝ,{circumflex over (x)},ŝ′) and set RD(ŝ). Determination of F^(da) canbe described as follows:F ^(da)(ŝ,{circumflex over (x)})=∃_(ŝ′) {N(ŝ,{circumflex over(x)},ŝ′)==1&&(RD(ŝ)|_(ŝ→ŝ′))==1}

F^(da)(ŝ,{circumflex over (x)}) contains the set of present state andinput pairs such that there exists a next state, but the next state iseither a deadend state or leads inexorably to a deadend state.

2.7 Summary of Augmented Equivalent Combinational Assumption Constraints

F^(da)(ŝ,{circumflex over (x)}) can be used to form the followingconstraint, that augments the equivalent combinational assumptionconstraints:F ^(da)(ŝ,{circumflex over (x)})==0

Depending upon the constraint solver, an alternate format, for theconstraint that augments the equivalent combinational assumptionconstraints, is as follows. The objective, with the following format, isto find solutions that make the expression return a Logic One:!F ^(da)(ŝ,{circumflex over (x)})3. Summary of Conversion With Strong Deadend Avoidance

The above method for deadend avoidance is sufficient if the environmentreceives no inputs from the DUT/DUV. However, if the environment issubject to variables not under its control, stronger deadend avoidanceconstraints may be needed.

In this case, the deadend avoidance method of above can have itsaugmented deadend states set determined as follows:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∃ _(xout)∀_(xin)∃_(ŝ′) N(ŝ,xout,xin,ŝ′)==1&&(D_(k)(ŝ)|_(ŝ→ŝ′))==1}

Where N(ŝ,xout,xin,ŝ′) differs from N(ŝ,{circumflex over (x)},ŝ′) bysplitting the {circumflex over (x)} into two parts: “xout,” which areoutputs of the DUT/DUV; and “xin” which are inputs to the DUT/DUV. Thedistinction is significant since the “xin” signals are under directcontrol of the environment while the “xout” signals are not. The aboveequation is stating that even if there is only one combination of “xout”signals that would cause a transition to a state already a member of aD_(k)(ŝ), the ŝ should be included in D_(k+1)(ŝ).

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, that are incorporated in and constitute apart of this specification, illustrate several embodiments of theinvention and, together with the description, serve to explain theprinciples of the invention:

FIG. 1 depicts a first example verification system, comprising acombination of a DUT/DUV and environment, to illustrate production of agate-level assumption representation;

FIG. 2 depicts an example gate-level assumption representation for amonitor of the environment of FIG. 1;

FIG. 3 depicts the first example verification system of FIG. 1, to whichhas been added the environment monitor of FIG. 2 along with an assertionmonitor for the DUT/DUV;

FIG. 4 depicts the combination of the assertion monitor and assumptionmonitor of FIG. 3 for purposes of formal verification;

FIG. 5 depicts a second example verification system, comprising acombination of a DUT/DUV and environment, to illustrate deadend stateavoidance;

FIG. 6 depicts the second example verification system of FIG. 5, towhich has been added an example gate-level assumption representation fora monitor of the environment of FIG. 5;

FIGS. 7A–7B depict processes for conversion of sequential assumptionconstraints for purposes of DUT/DUV verification;

FIG. 8 depicts an overall verification process that includes theconversion of sequential assumption constraints for purposes of DUT/DUVverification; and

FIG. 9 shows a computing hardware environment within which to operatethe present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Reference will now be made in detail to preferred embodiments of theinvention, examples of which are illustrated in the accompanyingdrawings. Wherever possible, the same reference numbers will be usedthroughout the drawings to refer to the same or like parts.

This specification contains pseudo-code to illustrate severalembodiments of the invention and to explain its principles. Thepseudo-code is loosely based upon the C and C++ programming languages.The C and C++ programming languages are described in such texts as “TheC Programming Language”, by B. W. Kernighan and D. M. Ritchie, PrenticeHall, Inc., 1988, ISBN 0-13-110362-8 (paperback), 0-13-110370-9(hardback) and “The C++ Programming Language,” by Bjarne Stroustrup,Addison-Wesley Pub. Co., 3rd edition, July 1997, ISBN 0-2018-8954-4,which are herein incorporated by reference.

Table of Contents to Detailed Description

-   1. Conversion of Sequential Constraints    -   1.1 First Step    -   1.2 Second Step        -   1.2.1 Formal Verification        -   1.2.2 Simulation Verification-   2. Conversion With Deadend Avoidance    -   2.1 Fail Function    -   2.2 Deadend States Set    -   2.3 Augmented Deadend States Set    -   2.4 Reachable States Set    -   2.5 Reachable Deadend States Set    -   2.6 Fail Function Augmented for Deadend Avoidance    -   2.7 Augmented Equivalent Combinational Assumption Constraints-   3. Conversion With Strong Deadend Avoidance-   4. Symbolic Example of Deadend State Avoidance    -   4.1 Fail Function    -   4.2 Deadend States Set    -   4.3 Augmented Deadend States Set    -   4.4 Reachable States Set    -   4.5 Reachable Deadend States Set    -   4.6 Fail Function Augmented for Deadend Avoidance    -   4.7 Augmented Equivalent Combinational Assumption Constraints-   5. Symbolic Example of Strong Deadend State Avoidance-   6. Hardware Environment    1. Conversion of Sequential Constraints

The present invention comprises techniques for automatically convertingsequential assumption constraints into a representation of anenvironment that tests a DUT/DUV. While the process description hereinis focused on the conversion of the sequential constraints, of an inputset of assumption constraints that model an environment, it should beunderstood that the input set of assumption constraints can includecombinational assumption constraints.

Sequential assumption constraints can be specified in a propertylanguage, such as:

-   -   i) Open Vera Assertion language (or OVA), Synopsys, Inc.,        Mountain View, Calif., USA;    -   ii) PSL (see Y. Abarbanel, I. Beer, L. Gluhovsky, S. Keidar, Y.        Wolfsthal. “FoCs—Automatic generation of simulation checkers        from formal specifications,” In Proceedings of CAV, 2000); and    -   iii) SVA (see SystemVerilog 3.1, Accellera's Extensions to        Verilog, June 2003).

The present invention operates as follows and will be explicated withthe assistance of a first example verification system as shown in FIG.1.

FIG. 1 depicts a block called “PCI Slave” (which is, for purposes ofthis example, the DUT/DUV) and another block called “PCI master” (whichis, for purposes of this example, the environment).

An informal, sequential assumption constraint oriented, description ofthe operation of the environment of FIG. 1 is as follows: if the DUT/DUVasserts the “req” line of the environment on one clock cycle, and theDUT/DUV asserts the “valid” line of environment one clock cycle later,then, two clock cycles after “req” was initially asserted, theenvironment should assert “grant” line.

Such a sequential assumption constraint can be expressed in OVA asfollows:

-   -   event e1: req==1 #1 valid==1;    -   event e2: if (ended e1) then #1 (grant==1);    -   assume a: check(e2);

Sequential delay can be represented in OVA by the “#” sequential delayoperator, and such operator is used in the above OVA example. An OVAevent detects sequential conditions, and the ended operator detects theoccurrence of an event. In the above OVA example, the event e2 specifiesthe sequential assumption constraint.

Below is described a process for automatic conversion of sequentialassumption constraints, into a representation of an environment thattests a DUT/DUV, in terms of a first step and a second step. Such firststep and second step are also depicted in FIG. 7A.

An overall view of the preparation of a circuit model for theverification process, that includes processing of the DUT/DUV, as wellas of the assertions, is shown in FIG. 8. FIG. 8 comprises boxesrepresenting data representations produced and/or utilized at varioussteps in a process, with such boxes connected by arrows representingprocesses that utilize and produce data representations. FIG. 8 isdivided into upper and lower halves by a dashed line 850. The portionabove dashed line 850 (whose components are numbered in the range 800 to824) corresponds to the first step, while the portion below the dashedline 850 (whose components are numbered in the range 830 to 840)corresponds to the second step.

1.1 First Step

In a first step (see step 700 of FIG. 7A), the sequential assumptionconstraints are converted, with the use of logic synthesis tools, into agate-level representation that could serve as a monitor of theenvironment. This gate-level representation for the sequentialassumption constraints (referred to herein as the “gate-level assumptionrepresentation”) can include the following:

i) register pipelines (referred to herein as “assumption pipelines”)that model the time-dependent properties of the sequential constraintsto be converted; and

ii) combinational gates (referred to herein as “assumption gates”) thatdrive an output (referred to herein as an “assumption error output”)indicating that an error in the assumptions has occurred. The assumptiongates can be dependent on any combination of the following: state bitsof the assumption pipelines, inputs to the DUT/DUV, outputs of theDUT/DUV, inputs to the environment, outputs of the environment.

The assumption gates can be identified by beginning at the assumptionerror output and finding a transitive fanin, where such fanin stopsunder any of three conditions: reaching a register output of theassumption pipelines, reaching an input to the DUT/DUV, or reaching anoutput of the DUT/DUV.

Combinational assumption constraints, if included within an input set ofassumption constraints for modeling an environment, just require theassumption gates aspect of the gate-level assumption representation.

In the case of constraints written in OVA, two logic synthesis tools canbe used to produce the gate-level assumption representation: OVACompiler of Synopsys, Inc. and Design Compiler of Synopsys, Inc. Moregenerally, two logic synthesis tools for performing the first step are:

-   -   i) A “sequential-constraints-to-HLDL compiler,” that converts a        language with sequential declarative constraints into a monitor        in a High-Level Hardware Design Language (HLHDL), such as        Verilog or VHDL. When such compiler encounters a sequential        delay operator, it implements the sequential delay, in its        output HLHDL, by producing a pipeline structure.    -   ii) An “HLDL-to-gate-level compiler,” that converts an HLHDL        into a gate level representation. The compiler utilized need not        include some or all of the optimization procedures, typically        associated with HLHDL to gate-level compilers, since sub-optimal        logic designs, with respect to a circuit implementation, can        still be suitable for the automatic conversion of sequential        constraints for purposes of design verification. An advantage of        not utilizing such optimization procedures, when an        HLDL-to-gate-level compiler is utilized for automatic conversion        of sequential constraints, is a greater speed of conversion.

In the case of OVA constraints, they can be converted, by OVA Compiler,into Verilog or VHDL. For the OVA statement, of the first exampleverification system, an example conversion into Verilog is as follows:

assign err <= valid_pre_req && !grant; always @(posedge clk or posedgereset) begin    /* the non-blocking assignment operators, “<=,” of a   begin-end block execute simultaneously */      If(reset) begin        pre_req <= 0;         valid_pre_req <= 0;      end      elsebegin         pre_req <= req; /* use pre_req as register to record            passage of a cycle */         valid_pre_req <= pre_req &&valid;      end  end

The HLHDL produced by OVA Compiler can be converted into a gate-levelassumption representation by Design Compiler, or by a version of DesignCompiler from which some or all of its optimization procedures, for acircuit implementation, have been removed.

For the just-above-listed example Verilog, an example gate-levelassumption representation is shown in FIG. 2. FIG. 3 depicts suchgate-level assumption representation of FIG. 2 in dashed outline, andconnected to the first example verification system of FIG. 1 as it wouldbe if such gate-level assumption representation were being used as anassertion monitor of the environment. FIG. 3 also adds, to the firstexample verification system, assertion monitoring circuitry for theDUT/DUV.

FIG. 8 depicts the above-described first step in the context of anoverall verification system. Conversion of a property languagedescription of assumptions into a gate-level representation is depictedby those parts of the figure labeled 810 to 814. A similar process,represented in FIG. 8 by those parts of the diagram labeled 820 to 824,can be used to convert property language description of assertions intoa gate-level representation. For the DUT/DUV, FIG. 8 depicts (by thoseparts of the diagram labeled 802 to 804) conversion of an HLHDLdescription (802) into a gate-level representation (804) by anHLDL-to-gate-level compiler process (803). FIG. 8 refers to HLHDLrepresentations (in boxes 802, 812 and 822) as register-transfer level(or RTL) representations. Once the DUT/DUV, assumptions and assertionsare expressed in a common gate-level representation (indicated by boxes804, 814 and 824), such gate-level representations can be combined, foreither simulation or formal methods, by a Gate-Level Merger process(800) into a combined gate-level representation (801).

While FIG. 8 depicts all of the DUT/DUV, assumptions and assertionsbeing converted into a gate-level representation, alternative approachescan be used. For example, the DUT/DUV can be simulated at the HLHDL(also referred to as RTL) level.

Furthermore, while the present description focuses upon a gate-levelrepresentation where the gates are single-bit operators, gate-levelrepresentations, where the gates comprise word-level operators, can beused.

1.2 Second Step

Upon completion of the first step, the conversion process can continuein one of two ways (see decision point 701 of FIG. 7A), depending uponwhether verification by formal methods, or by simulation, is desired.

1.2.1 Formal Verification

For formal verification (see second step 702 of FIG. 7A), a single“formal-verification-output” is constructed, that combines theassumption-error-detecting gate-level assumption representation producedin the first step with assertion-monitoring circuitry for the DUT/DUV.The entire combination, of DUT/DUV, assertion monitor, assumptionmonitor (environment) and circuitry that produces theformal-verification-output, is input to a formal verifier. Dependingupon the construction of the circuitry that produces theformal-verification-output, the goal of the verifier is either to provethe formal-verification-output can never be Logic One (also referred toas a “true” value), or can never be Logic Zero (also referred to as a“false” value).

If it is desired to produce a formal-verification-output where the goalis to prove that it can never be Logic One, suchformal-verification-output can be constructed such that it is Logic Oneif and only if an assertion is violated by the DUT/DUV (e.g., “assertionerror” becomes Logic One) and it is not the case that the assumptionconstraints have ever been violated (e.g., “assumption error” is alwaysLogic Zero). Assuring that assumption constraints have never beenviolated can be modeled by feeding assumption error through arecirculating latch circuit before it is ANDed with assertion error.

An example gate-level circuit, that specifies aformal-verification-output output called “final error,” is shown in FIG.4. A design can be verified by proving that “final error” of FIG. 4 cannever be Logic One. As can be seen, “assumption error” is connected to arecirculating latch configuration.

As can also be seen, “final error” is an AND of the “assertion error”output and the NOT of the recirculating latch output. If the formalverifier can prove that an “assertion error” can occur, while neverviolating an assumption constraint, then the DUT/DUV designer needs tobe notified by asserting the “final error” output.

A variety of formal verifiers can be used. An example suitable formalverifier is presented in the following paper: “Formal PropertyVerification by Abstraction Refinement with Formal, Simulation andHybrid Engine,” by D. Wang, P-H. Ho, J. Long, J. Kukula, Y. Zhu, T. Maand R. Damiano, Proceedings of the Design Automation Conference, Jun.18–22, 2001, Las Vegas, Nev., USA, pages 35–40. Formal verifiers, alsoreferred to as symbolic model checkers, are also provided by thefollowing companies: Real Intent, Inc., Santa Clara, Calif.; JasperDesign Automation, Inc., Mountain View, Calif.; and InternationalBusiness Machines Corporation, Armonk, N.Y., with its “RuleBase FormalVerification Tool.”

In FIG. 8, such second step for formal verification is depicted by anassertion/assumption combiner process (840) and the resulting gate-levelrepresentation for formal verifier (841) that contains a singleformal-verification-output.

1.2.2 Simulation Verification

If the gate-level assumption representation of the first step is to beused to generate test data for driving the DUT/DUV, in a simulationverification approach, the second step (see second step 703 of FIG. 7A)is to convert such gate-level assumption representation into a hybridassumption representation that comprises:

-   -   i) the assumption pipelines as simulated circuit elements; and    -   ii) combinational constraints, referred to herein as “equivalent        combinational assumption constraints,” whose solution by a        conventional combinational constraint solver produces an output        behavior for the environment that is in accord with the        sequential assumption constraints.

During simulation, the assumption pipelines are simulated such that theyhold, at any point in the simulation, state information necessary for asolution of the equivalent combinational assumption constraints to be inaccord with the sequential assumption constraints. Also, duringsimulation, the equivalent combinational assumption constraints aresolved and such solutions provide data, for driving inputs to theDUT/DUV, that is in accordance with the specified sequential assumptionconstraints.

Combinational assumption constraints, if included within an input set ofassumption constraints for modeling an environment, can be implementedwith just the equivalent combinational assumption constraints aspect ofthe hybrid assumption representation.

The equivalent combinational assumption constraints are formed from aset of gates, referred to herein as the “augmented assumption gates.”The augmented assumption gates can be extracted by beginning at theassumption error output and finding a transitive fanin, where such faninstops under either of two conditions: reaching a register output,reaching an input to the DUT/DUV. The transitive fanin does not stopupon reaching an output of the DUT/DUV and, therefore, such fanincontinues until a register output, within the DUT/DUV, is reached. It isthe fact that the transitive fanin does not stop at a DUT/DUV outputthat can cause the augmented assumption gates to contain additionalgates in comparison to the assumption gates.

For the example of FIG. 3, such transitive fanin extracts, as theaugmented assumption gates, gates 300 and 301. If wire 312 of gate 300were an output of the DUT/DUV, rather than the input shown, thetransitive fanin would continue back into the internal circuitry of theDUT/DUV until its first layer of registers is reached.

The augmented assumption gates can be translated into equivalentcombinational assumption constraints, expressed in a symbolic form, asfollows: each gate's functionality is replaced by an appropriate logicaloperator; an input to a gate, from an output of a register within theDUT/DUV, is replaced by a state variable whose value is determined bythe value of its corresponding register output; and an input to a gate,connected to an input of the DUT/DUV, is converted into a randomvariable.

Another approach can be to translate the augmented assumption gates intoa BDD by any one of several known methods. As with translation tosymbolic form, an input to the BDD is a state variable where an input toa gate is connected to an output of a register within the DUT/DUV and aninput to the BDD is an RV where an input to a gate is connected to aninput of the DUT/DUV. Such BDD can then be input to a BDD constraintsolver. If such BDD constraint solver seeks solutions where all of itsBDD constraints are true, the BDD result of translating the augmentedassumption gates may be input to the constraint solver in complementedform.

Solving such equivalent combinational assumption constraints, in thecourse of a simulation, causes values to be assigned to their randomvariables that conform with the time-sequence-dependent rules of theinput sequential assumption constraints (such as the example OVA ruleshown above).

For the example of FIG. 3, the equivalent combinational assumptionconstraint solved is as follows:313&&314 && (!grant)==0

For the above-listed constraint, 313 and 314 are state variables (orSV's), whose values are given by the simulation, while “grant” is therandom variable (or RV) for which a combinational constraint solverfinds acceptable values.

In FIG. 8, a second step for simulation verification is depicted by aGate-Level Extractor process (830) that produces equivalentcombinational assumption constraints (831) and a gate-levelrepresentation (832) for simulation.

2. Conversion With Deadend Avoidance

For certain sets of sequential assumption constraints, the equivalentcombinational assumption constraints determined for them, as describedabove, are not sufficient to insure the random variables are alwaysassigned with values that conform with the time-sequence-dependentnature of the sequential assumption constraints. A state of theenvironment, in which at least one of the input assumption constraintsthat model the environment is violated, is referred to herein as a“deadend” state.

The following is an example of such a sequential assumption constraintset written in OVA:If (x==1) then (#2 y==1);If (z==1) then (#1 y==0);

A second example verification system, having example connections betweenan environment operating according to the just-above OVA constraint setand a DUT/DUV, is shown in FIG. 5. Example Verilog, that can begenerated for each of the above rules by OVA Compiler, is as follows:

/* Verilog for If (x==1) then (#2 y==1); */ assign err = pre_pre_x &&!y; always @(posedge clk or posedge reset) begin    If(reset) begin       pre_x <= 0;        pre_pre_x <= 0;    end        else begin          pre_x <= x;           pre_pre_x <= pre_x ;        end    end   /* Verilog for If (z==1) then (#1 y==0); */    assign err = pre_z &&y;    always @(posedge clk or posedge reset) begin       If(reset) begin          pre_z <= 0;       end       else begin           pre_z <= z;      end    end

An example gate-level assumption representation, that can be generatedfor the above Verilog from Design Compiler, is depicted in dashedoutline in FIG. 6. The gate-level assumption representation is shownconnected to the second example verification system of FIG. 5 as itwould be if such gate-level assumption representation were being used asan assertion monitor of the environment. An equivalent combinationalassumption constraint, extracted from the example gate-level assumptionrepresentation, is as follows:(!y&&610)∥(y&&620)==0

Since, for this example, “x,” “y,” and “z” are all outputs of theenvironment, all of these variables become RV's for the constraintsolver, but only “y” appears in the equivalent combinational assumptionconstraint. Therefore, there is no constraint in the equivalentcombinational assumption constraint set preventing RV “z” from beingassigned a value of Logic One, by the constraint solver, one cycle afterRV “x” is assigned a Logic One value. Such time-ordered assignment ofvalues to “x” and “z” results, however, in an insolvable conflictsituation where, for either value of “y,” the equivalent combinationalassumption constraint is violated. Such a state, in which at least oneequivalent combinational assumption constraint is violated, is referredto herein as a “deadend” state.

Presented herein is a method for identifying deadend states and foraugmenting the equivalent combinational assumption constraint set suchthat transitions into deadend states are avoided (see FIG. 7B, which isan expansion of step 704 of FIG. 7A). Within the overall verificationprocess of FIG. 8, such process for augmenting the equivalentcombinational assumption constraint set is performed by the Gate-LevelExtractor process (830).

2.1 Fail Function

A “fail function” F(ŝ,{circumflex over (x)}) is determined, from theassumption gates, where ŝ is a state of the assumption pipeline and{circumflex over (x)} is the set of all inputs to the gate-levelassumption representation (see step 710 of FIG. 7B). F(ŝ,{circumflexover (x)}) returns a Logic One if and only if the input ŝ and{circumflex over (x)} would produce an invalid transition. For thesecond example verification system of FIG. 6, ŝ is 610, 611 and 620,while {circumflex over (x)} is “x,” “y” and “z.” The fail function forFIG. 6 is comprised of gates 600, 601 and 630 and can be representedsymbolically as follows:F(ŝ,{circumflex over (x)})=(!y&&610)∥(y&&620)

Since the assumptions for a DUT/DUV can be complex, in terms of thenumber of state bits and/or inputs, it can be desirable to expressF(ŝ,{circumflex over (x)}) in a compact representation, such as a binarydecision diagram (BDD).

2.2 Deadend States Set

Using mathematical set notation, the set of deadend states, D₀, can beexpressed in terms of F(ŝ,{circumflex over (x)}) as follows (see step711 of FIG. 7B):D ₀ ={ŝ|∀ _({circumflex over (x)}) F(ŝ,{circumflex over (x)})=1}

Thus, deadend states are those states that, for all possible inputcombinations, have no legal transitions. Since {circumflex over (x)} isuniversally quantified out of F(ŝ,{circumflex over (x)}), D₀ is solelyin terms of ŝ. Therefore, D₀(ŝ) returns Logic One only when given adeadend state as an argument. In terms of pseudo-code, that processesBDDs, the determination of D₀ can be expressed as follows:D=BDD_FORALL(a_inputs, F(a_states, a_inputs))

Where “BDD_FORALL” is a two-argument function that performs universalquantification, “a_inputs” corresponds to {circumflex over (x)},“a_states” corresponds to ŝ and F(a_states,a_inputs) corresponds toF(ŝ,{circumflex over (x)}). BDD_FORALL universally quantifies, from thefunction F(a_states, a_inputs), the set of inputs specified by a_inputs.

2.3 Augmented Deadend States Set

This section discusses production of an augmented deadend states set(see step 713 of FIG. 7B). If the DUT/DUV has a signal that drives theenvironment (“yes” path of decision point 712 of FIG. 7B), and istherefore not under the environment's control, it may be desirable todetermine a strongly augmented deadend states set (see step 714 of FIG.7B). Determination of such strongly augmented deadend states set iscovered below in Section 3. As can be seen from FIG. 7B, regardless ofwhether an augmented or strongly augmented deadend states set isdetermined, the remaining steps for deadend state avoidance (see steps715–718 of FIG. 7B) are the same.

Augmenting D₀ means adding to it all those states that, while having atleast one valid transition, lead inexorably to a deadend state. Thisset, referred to as D(ŝ), can be determined as a stepwise, backward,fixed-point determination. In mathematical set notation, the fixed-pointdetermination can be expressed as follows:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∀ _({circumflex over (x)})∃_(ŝ′)N(ŝ,{circumflex over (x)},ŝ′)==1&&(D _(k)(ŝ)|_(ŝ→ŝ′))==1}

Where N(ŝ,{circumflex over (x)},ŝ′) is a characteristic function, of astate transition relation, that is defined to return Logic One when, fora particular assumption environment, a present state of ŝ and an inputof {circumflex over (x)} leads to a next state of ŝ′. As can be seenabove, the right-hand-side expression to the union operator provides astate ŝ for extending D_(k)(ŝ) if, for all inputs {circumflex over (x)},there exists a state ŝ′, where ŝ′ is a member of D_(k)(ŝ), such that ŝ,{circumflex over (x)} and ŝ′ are a valid transition.

N(ŝ,{circumflex over (x)},ŝ′) can be formed as follows from a particulargate-level assumption representation. For each register bit of ŝ′, thelogic gate network of its transitive fanin, terminating at a registerbit-line of ŝ or an input bit-line of {circumflex over (x)}, isdetermined. The logic network is converted into an equivalent Booleanlogic expression that is then equated with the register bit of ŝ′. Forall bits in ŝ′, the equations are ANDed together to form N(ŝ,{circumflexover (x)},ŝ′). For the second example verification system of FIG. 6,N(ŝ,{circumflex over (x)},ŝ′) can be expressed symbolically as follows:N(ŝ,{circumflex over (x)},ŝ′)=610′==611&&611′==“x”&&620′==“z”

In terms of pseudo-code that processes a BDD representation of D₀ andN(ŝ,{circumflex over (x)},ŝ′), the backward fixed-point determinationcan be expressed as follows:

D_(prev) = Ø; while (D != D_(prev)) {     D_(prev) = D;     TMP =INEVITABLE(D)     D = BDD_OR(TMP, D); }  INEVITABLE( D(a_states) ) =     BDD_FORALL(a_inputs,        BDD_EXIST(a_nstates,           BDD_AND(N(a_states,a_inputs,           a_nstates),             BDD_SUBSTITUTE(a_states,              a_nstates,D(a_states) )           )        )      )

The above “while” loop begins with D set to D₀ and iterates as long as avalue for D_(prev) (i.e., a D_(k−1)(ŝ)) is not equal to a value for D(i.e., a D_(k)(ŝ)). The states representing a next step backwards, froma D_(k)(ŝ), are returned in BDD form by an “INEVITABLE” procedure andassigned to a variable “TMP.” The procedure “BDD_OR” then performs theunion of the sets of “TMP” and “D” to produce D_(k+1)(ŝ).

The “INEVITABLE” procedure is a pseudo-code version of theabove-discussed right-hand-side expression to the union operator. The“INEVITABLE” procedure uses a BDD expression “N” for N(ŝ,{circumflexover (x)},ŝ′), where “N” has been determined for the assumptionscurrently being processed. For “N,” a_states corresponds to ŝ, a_inputscorresponds to {circumflex over (x)} and a_nstates corresponds to ŝ′.

While BDD_FORALL has been discussed above, the pseudo-code proceduresBDD_EXIST, BDD_AND and BDD_SUBSTITUTE operate as follows. BDD_EXISTexistentially quantifies, from the BDD of its second argument, thevariables (in this case a_nstates) of its first argument. BDD_ANDreturns a BDD that is the AND (or intersection) of the sets representedby each of its BDD arguments. BDD_SUBSTITUTE performs the followingvariable-name substitution in the BDD of its third argument: variablesin the BDD specified by the first argument are replaced by thecorresponding variables of the second argument.

2.4 Reachable States Set

While the above procedure results in a set D containing all states thatare either deadend states, or that lead inevitably to deadend states,some of the states in D may not be reachable from the initial states ofthe environment. With R₀(ŝ) defined as the set of initial states of theenvironment, we define a set R_(k+1)(ŝ) to be the set of all statesreachable in one transition from R_(k)(ŝ) and R(ŝ) to be the set of allstates reachable from R₀(ŝ). R₀(ŝ) is defined as the set of initialstates of the environment monitor, that can be, for example, the statein which all registers of the monitor contain zero.

R(ŝ) can be determined as a stepwise, forward, fixed-pointdetermination. In mathematical set notation, this fixed-pointdetermination can be expressed as follows (see step 715 of FIG. 7B):R _(k+1)(ŝ)=R _(k)(ŝ)∪{ŝ|(∃_({circumflex over (x)})∃_(ŝ) N(ŝ,{circumflexover (x)},ŝ′)==1&&R _(k)(ŝ)==1)|_(ŝ′→ŝ)}

As can be seen above, the right-hand-side expression to the unionoperator provides a state ŝ for extending R_(k)(ŝ) if there exists aninput {circumflex over (x)} and a state ŝ, where ŝ is a member ofR_(k)(ŝ), such that ŝ, {circumflex over (x)} and ŝ′ are a validtransition. In terms of pseudo-code that processes BDDs, the forwardfixed-point determination can be expressed as follows:

R_(prev) = Ø; while (R != R_(prev)) {     R_(prev) = R;     TMP =REACHABLE(R)     R = BDD_OR(TMP, R); } REACHABLE ( R(a_states) ) =BDD_SUBSTITUTE(a_nstates, a_states,     BDD_EXIST(a_inputs,       BDD_EXIST(a_states,           BDD_AND( R(a_states),               N(a_states,a_inputs,                a_nstates)             )          )       )    )

The above “while” loop begins with R set to R₀ and iterates as long as avalue for R_(prev) (i.e., a R_(k−1)(ŝ)) is not equal to a value for R(i.e., a R_(k)(ŝ)). The states representing a next step forward, from aR_(k)(ŝ), are returned in BDD form by a “REACHABLE” procedure andassigned to a variable “TMP.” The procedure “BDD_OR” then performs theunion of the sets of “TMP” and “R” to produce R_(k+1)(ŝ).

The “REACHABLE” procedure is a pseudo-code version of theabove-discussed right-hand-side expression to the union operator.

2.5 Reachable Deadend States Set

The set of reachable deadend states, referred to as RD(ŝ), is theintersection of the sets R(ŝ) and D(ŝ) (see step 716 of FIG. 7B). Inpseudo-code, this can be expressed as follows:RD=BDD_AND(R,D)

Reducing D(ŝ) to RD(ŝ) is an efficiency technique, and use of D(ŝ) inthe below steps will still result in functionally correct results.

2.6 Fail Function Augmented for Deadend Avoidance

An augmented fail function “F” with deadend avoidance, referred to asF^(da), can be determined from the above determined relationN(ŝ,{circumflex over (x)},ŝ′) and set RD(ŝ) (see step 717 of FIG. 7B).In mathematical set notation, determination of F^(da) can be describedas follows:F ^(da)(ŝ,{circumflex over (x)})=∃_(ŝ′)(N(ŝ,{circumflex over(x)},ŝ′)==1&&(RD(ŝ)|_(ŝ→ŝ′))==1)

F^(da)(ŝ,{circumflex over (x)}) contains the set of present state andinput pairs such that there exists a next state, but the next state iseither a deadend state or leads inexorably to a deadend state. In termsof pseudo-code processing BDDs, determination of F^(da)(ŝ,{circumflexover (x)}) can be expressed as follows:

F_WITH_DA ( RD(a_states) ) = BDD_EXISTS(a_nstates,    BDD_AND(N(a_states, a_inputs, a_nstates),       BDD_SUBSTITUTE(a_states,a_nstates,       RD(a_states) )    ) )2.7 Augmented Equivalent Combinational Assumption Constraints

F^(da)(ŝ,{circumflex over (x)}) can be used to form the followingconstraint, that augments the equivalent combinational assumptionconstraints (see step 718 of FIG. 7B):F ^(da)(ŝ,{circumflex over (x)})==0

For the second example verification system of FIG. 6, the augmentedequivalent combinational assumption constraint set can be expressed asfollows:((!y&&610)∥(y&&620))==0F ^(da)(ŝ,{circumflex over (x)})==0

Depending upon the constraint solver, an alternate format, for theaugmented equivalent combinational assumption constraints, is to findsolutions where all of the following expressions return a value of LogicOne:!((!y&&x2)∥(y&&z1))!F^(da)(ŝ,{circumflex over (x)})

Expressed in terms of pseudo-code, that returns a BDD for a constraintsolver, the constraint can be determined as follows:BDD_NOT(F_WITH_DA(RD))

Where “BDD_NOT” returns a BDD that is the inverse of its BDD argument.

3. Conversion With Strong Deadend Avoidance

The above method for deadend avoidance is sufficient if, as shown in theexample of FIG. 6, the environment receives no inputs from the DUT/DUV.However, if the environment is subject to variables not under itscontrol, stronger deadend avoidance constraints may be needed.

In this case, the deadend avoidance method of above can have itsaugmented deadend states set determined as follows:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∃ _(xout)∀_(xin)∃_(ŝ′) N(ŝ,xout,xin, ŝ′)==1&&(D_(k)(ŝ)|_(ŝ→ŝ′))==1}

Where N(ŝ,xout,xin,ŝ′) differs from N(ŝ,{circumflex over (x)},ŝ′) bysplitting the {circumflex over (x)} into two parts: “xout,” which areoutputs of the DUT/DUV; and “xin” which are inputs to the DUT/DUV. Thedistinction is significant since the “xin” signals are under directcontrol of the environment while the “xout” signals are not. The aboveequation is stating that even if there is only one combination of “xout”signals that would cause a transition to a state already a member of aD_(k)(ŝ), the ŝ should be included in D_(k+1)(ŝ).

A potential problem with strong deadend avoidance, however, is thattesting of the design can become limited such that some design flaws mayno longer be detectable.

For example, consider the case where “z” of FIG. 6 is an output of theDUT/DUV and an input to the environment. In this case, no constraint canbe added, to the equivalent combinational assumption constraint set,that would prevent the “z” from being set to a Logic One value one cycleafter the “x” is set to a Logic One value.

4. Symbolic Example of Deadend State Avoidance

This section symbolically simulates operation of the above steps ofSection 2 (“Conversion With Deadend Avoidance”) upon the example of FIG.6.

As discussed above, for the example of FIG. 6, ŝ is 610, 611 and 620,while {circumflex over (x)} is “x,” “y” and “z.” For purposes of asymbolic example, 610, 611 and 620 are given the following alternativenames: x2, x1 and z1.

Symbolically, existential and universal quantification are accomplishedas follows. The expression, from which a variable to be quantified, isconverted into two forms: one form in which a value of Logic One issubstituted for the quantified variable and another in which a value ofLogic Zero is substituted. Then, for existential quantification, thelogical OR of the two forms is created while, for universalquantification, the logical AND is performed.

4.1 Fail Function

The “fail function” F(ŝ,{circumflex over (x)}) was already determinedabove and, with the new variable names for 610 and 620, it can beexpressed as follows:F(ŝ,{circumflex over (x)})=(!y&&x2)∥(y&&z1)4.2 Deadend States Set

The set of deadend states, D₀, can be expressed in terms ofF(ŝ,{circumflex over (x)}) as follows:D ₀ ={ŝ|∀ _({circumflex over (x)}) F(ŝ,{circumflex over (x)})=1}D ₀ ={ŝ|∀ _(x)∀_(y)∀_(z)(!y&&x2)∥(y&&z1)}D ₀ ={ŝ|∀ _(x)∀_(y)(!y&&x2)∥(y&&z1)}D ₀ ={ŝ|∀ _(x)(x2&&z1)}D ₀ ={ŝ|( x2&&z1)}4.3 Augmented Deadend States Set

Next, D(ŝ) can be determined as a stepwise, backward, fixed-pointdetermination from D₀ using the following formula:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∀ _({circumflex over (x)})∃_(ŝ′)N(ŝ,{circumflex over (x)},ŝ′)==1&&(D _(k)(ŝ)|_(ŝ→ŝ′))==1}

N(ŝ,{circumflex over (x)},ŝ′) was already determined above for FIG. 6and, expressed in terms of the new names for 610, 611 and 620, it can beexpressed as follows:N(ŝ,{circumflex over (x)},ŝ′)=(x2′==x1)&&(x1′==x)&&(z1′==z)

The determination of D₁ can be expressed as follows:D ₁ =D ₀ ∪{ŝ|∀ _({circumflex over (x)})∃_(ŝ′) N(ŝ,{circumflex over(x)},ŝ′)==1&&(D ₀|_(ŝ→ŝ′))==1}D ₁=(x2&&z1)∪{ŝ|∀_(x)∀_(y)∀_(z)∃_(x1′)∃_(x2′)∃_(z1′)((x2′==x1)&&(x1′==x)&&(z1′==z))&&((x2&&z1)|_(ŝ→ŝ′))}D ₁=(x2&&z1)∪{ŝ|∀_(x)∀_(y)∀_(z)∃_(x1′)∃_(x2′)∃_(z1′)((x2==x1)&&(x1′==x)&&(z1′==z))&&(x2′&&z1′)}D₁=(x2&&z1)∪{ŝ|∀_(x)∀_(y)∀_(z)∃_(x1′)∃_(x2′)((x2′==x1)&&(x1′==x)&&z)&&x2′}D ₁=(x2&&z1)∪{ŝ|∀ _(x)∀_(y)∀_(z)∃_(x1′)(x1&&(x1′==x)&&z)}D ₁=(x2&&z1)∪{ŝ|∀_(x)∀_(y)∀_(z)(x1&&z}D ₁=(x2&&z1)∪{ŝ|∀_(x)∀_(y)(Ø)}D ₁=(x2&&z1)∪{ŝ|Ø}

Since a fixed point has been reached, D(ŝ) has been found to be(x2&&z1).

4.4 Reachable States Set

With R₀(ŝ) defined as the set of initial states of the environmentmonitor, for purposes of this example, the initial state can be definedas all registers containing zero and therefore can be expressedsymbolically as:R ₀(ŝ)=!x1&&!x2&&!z1

R(ŝ) can be determined as a stepwise, forward, fixed-point determinationwith the following formula:R _(k+1)(ŝ)=R _(k)(ŝ)∪{ŝ(∃_({circumflex over (x)})∃_(ŝ) N(ŝ,{circumflexover (x)},ŝ′)==1&&R _(k)(ŝ)==1)|_(ŝ′→ŝ)}

The determination of R₁ can be expressed as follows:R ₁ =R ₀ ∪{ŝ|(∃_({circumflex over (x)})∃_(ŝ) N(ŝ,{circumflex over(x)},ŝ′)==1&&R ₀)|_(ŝ′→ŝ)}R₁=(!x1&&!x2&&!z1)∪{ŝ(∃_(x)∃_(y)∃_(z)∃_(x1)∃_(x2)∃_(z1)(x2==x1)&&(x1′==x)&&(z1′==z)&&(!x1&&!x2&&!z1))|_(ŝ→ŝ′)}R₁=(!x1&&!x2&&!z1)∪{ŝ|(∃_(x)∃_(y)∃_(z)∃_(x1)∃_(x2)(x2′==x1)&&(x1′==x)&&(z1′==z)&&(!x1&&!x2))|_(ŝ→ŝ′)}R₁=(!x1&&!x2&&!z1)∪{ŝ|(∃_(x)∃_(y)∃_(z)∃_(x1)(x2′==x1)&&(x1′==x)&&(z1′==z)&&!x1)|_(ŝ→ŝ′)}R ₁=(!x1&&!x2&&!z1)∪{ŝ|(∃_(x)∃_(y)∃_(z)!x2′&&(x1′==x)&&(z′==z))|_(ŝ→ŝ′})R ₁=(!x1&&!x2&&!z1)∪{ŝ|(∃_(x)∃_(y) !x2′&&(x1′==x))|_(ŝ→ŝ′)}R ₁=(!x1&&!x2&&!z1)∪{ŝ|(∃_(x) !x2′&&(x1′==x))|_(ŝ→ŝ′)}R ₁=(!x1&&!x2&&!z1)∪{ŝ|(!x2′)|_(ŝ→ŝ′)}R ₁=(!x1&&!x2&&!z1)∪!x2R₁=!x2

Since a fixed point has not been reached, the determination of R₂ can beexpressed as follows:R ₂ =R ₁ ∪{ŝ|(∃_({circumflex over (x)})∃_(ŝ) N(ŝ,{circumflex over(x)},ŝ′)==1&&R ₁)|_(ŝ′→ŝ)}R₂=(!x2)∪{ŝ|(∃_(x)∃_(y)∃_(z)∃_(x1)∃_(x2)∃_(z1)(x2′==x1)&&(x1′==x)&&(z1′==z)&&(!x2))|_(ŝ→ŝ′)}R₂=(!x2)∪{ŝ|(∃_(x)∃_(y)∃_(z)∃_(x1)∃_(x2)(x2′==x1)&&(x1′==x)&&(z1′==z)&&(!x2))|_(ŝ→ŝ′)}R₂=(!x2)∪{ŝ|(∃_(x)∃_(y)∃_(z)∃_(x1)(x2′==x1)&&(x1′==x)&&(z1′==z))|_(ŝ→ŝ′)}R ₂=(!x2)∪{ŝ|(∃_(x)∃_(y)∃_(z)(x1′==x)&&(z1′==z))|_(ŝ→ŝ′)}R ₂=(!x2)∪{ŝ|(∃_(x)∃_(y)(x1′==x))|_(ŝ→ŝ′)}R ₂=(!x2)∪{ŝ|(∃_(x)(x1′==x))|_(ŝ→ŝ′)}R ₂=(!x2)∪{ŝ|(TRUE)|_(ŝ→ŝ′)}R ₂=(!x2)∪TRUER₂=TRUE

We have reached a fixed point indicating that all states of theenvironment monitor are reachable in two steps.

4.5 Reachable Deadend States Set

The set of reachable deadend states, referred to as RD(ŝ), is theintersection of the sets R(ŝ) and D(ŝ). This can be determinedsymbolically as follows:RD(ŝ)=TRUE&&x2&&z1=x2&&z14.6 Fail Function Augmented for Deadend Avoidance

The augmented fail function F^(da) can be determined from the abovedetermined sets N(ŝ,{circumflex over (x)},ŝ′) and RD(ŝ). In mathematicalset notation, determination of F^(da) can be described as follows:F ^(da)(ŝ,{circumflex over (x)})=∃_(ŝ′)(N(ŝ,{circumflex over(x)},ŝ′)==1&&(RD(ŝ)|_(ŝ→ŝ′)==)1)F ^(da)(ŝ,{circumflex over(x)})=∃_(x1′)∃_(x2′)∃_(z1′)(((x2′==x1)&&(x1′==x)&&(z1′==z))&&((x2&&z1)|_(ŝ→ŝ′)))F ^(da)(ŝ,{circumflex over(x)})=∃_(x1′)∃_(x2′)∃_(z1′)(((x2′==x1)&&(x1′==x)&&(z1′==z))&&(x2′&&z1′))F ^(da)(ŝ,{circumflex over(x)})=∃_(x1′)∃_(x2′)(((x2′==x1)&&(x1′==x)&&z))&&x2′)F ^(da)(ŝ,{circumflex over (x)})=∃_(x1′)(x1′==x)&&z)F ^(da)(ŝ,{circumflex over (x)})=(x1&&z)4.7 Augmented Equivalent Combinational Assumption Constraints

F^(da)(ŝ,{circumflex over (x)}) can be used to form a constraint, thatcreates the following augmented equivalent combinational assumptionconstraints:((!y&&x2)∥(y&&z1))==0(x1&&z)==0

Alternatively, the augmented equivalent combinational assumptionconstraints can be expressed as follows, where RV values must be foundsuch that all the expressions evaluate to Logic One:!((!y&&x2)∥(y&&z1))!(x1&&z)

As can be seen, the additional constraint does solve the conflictproblem since, if “x1” is Logic One, “z” must be assigned the valuezero.

5. Symbolic Example of Strong Deadend State Avoidance

This section symbolically simulates operation of the above steps ofSection 3 (“Conversion With Strong Deadend Avoidance”) upon the exampleof FIG. 6. As discussed above, the difference from non-strong deadendavoidance is in the backward, fixed point, determination of deadendstates.

For this example, we consider “z” to be a DUT/DUV output that istherefore not controllable by the environment but, in all otherrespects, the example is the same as that of FIG. 6. As discussed above,the determination of D(ŝ) can be accomplished by the following formula:D _(k+1)(ŝ)=D _(k)(ŝ)∪{ŝ|∃ _(xout)∀_(xin)∃_(ŝ′) N(ŝ,xout,xin,ŝ′)==1&&(D_(k)(ŝ)|_(ŝ→ŝ′))==1}

Determination of D₁(ŝ) from D₀(ŝ) is as follows:D ₁ =D ₀ ∪{ŝ|∃ _(xout)∀_(xin)∃_(ŝ′) N(ŝ,xout,xin,ŝ′)==1&&(D₀|_(ŝ→ŝ′))==1}D ₁=(x2&&z1)∪{ŝ|∃_(z)∀_(x)∀_(y)∃_(x2′)∃_(x1′)∃_(z1′)((x2′==x1)&&(x1′==x)&&(z1′==z))&&((x2&&z1)|_(ŝ→ŝ′))}D ₁=(x2&&z1)∪{ŝ|∃_(z)∀_(x)∀_(y)∃_(x2′)∃_(x1′)∃_(z1′)((x2′==x1)&&(x1′==x)&&(z1′==z))&&(x2′&&z1′)}

Since the above equation for D₁(ŝ) is identical to that which was solvedin Section 4.3 (“Augmented Deadend States Set”), except that “z” isexistentially quantified rather than universally quantified, thedetermination of D₁(ŝ) continues below at the point where x1′, x2′ andz1′ have been existentially quantified:D ₁=(x2&&z1)∪{ŝ|∃ _(z)∀_(x)∀_(y)(x1&&z)}D ₁=(x2&&z1)∪{ŝ|∃ _(z)∀_(x)(x1&&z)}D ₁=(x2&&z1)∪{ŝ|∃ _(z)(x1&&z)}D ₁=(x2&&z1)∪{ŝ|x1}D ₁=(x2&&z1)∥x1

Since a fixed point has not been reached in determining D₁(ŝ), D₂(ŝ) isdetermined as follows:D ₂ =D ₁ ∪{ŝ|∃ _(xout)∀_(xin)∃_(ŝ′) N(ŝ,xout,xin,ŝ′)==1&&(D₁|_(ŝ→ŝ′))==1}D ₂=((x2&&z1)∥x1)∪{ŝ|∃_(z)∀_(x)∀_(y)∃_(x2′)∃_(x1′)∃_(z1′)((x2′==x1)&&(x1′==x)&&(z1′==z))&&(((x2&&z1)∥x1)|_(ŝ→ŝ′))}D ₂=((x2&&z1)∥x1)∪{ŝ|∃_(z)∀_(x)∀_(y)∃_(x2′)∃_(x1′)∃_(z1′)((x2′==x1)&&(x1′==x)&&(z1′==z))&&((x2′&&z1′)∥x1′)}D ₂=((x2&&z1)∥x1)∪{ŝ|∃_(z)∀_(x)∀_(y)∃_(x2′)∃_(x1′)(x2′==x1)&&(x1′==x)&&((!z&&x1′)∥(z&&x2′)∥(z&&x1′))}D ₂=((x2&&z1)∥x1)∪{ŝ|∃ _(z)∀_(x)∀_(y)∃_(x2′)(x2′==x1)&&(x∥!x&&z&&x2′)}D ₂=((x2&&z1)∥x1)∪{ŝ|∃ _(z)∀_(x)∀_(y)(x1&&x)∥(x1&&!x&&z)∥(!x1&&x)}D ₂=((x2&&z1)∥x1)∪{ŝ|∃ _(z)∀_(x)(x1&&x)∥(x1&&!x&&z)∥(!x1&&x)}D ₂=((x2&&z1)∥x1)∪{ŝ|∃ _(z) FALSE}D ₂=((x2&&z1)∥x1)

Since D₂(ŝ) equals D₁(ŝ), a fixed point has been reached. Therefore,D(ŝ) equals D₁(ŝ). Since all states of the environment monitor arereachable from the initial state, RD(ŝ) equals D(ŝ).

The augmented fail function F^(da) can be determined from the abovedetermined sets N(ŝ,{circumflex over (x)},ŝ′) and RD(ŝ). In mathematicalset notation, determination of F^(da) can be described as follows:F ^(da)(ŝ,{circumflex over (x)})=∃_(ŝ′)(N(ŝ,{circumflex over(x)},ŝ′)==1&&(RD(ŝ)|_(ŝ→ŝ′))==1)F ^(da)(ŝ,{circumflex over(x)})=∃_(x2′)∃_(x1′)∃_(z1′)(((x2′==x1)&&(x1′==x)&&(z1′==z))&&(((x2&&z1)∥x1)|_(ŝ→ŝ′)))F ^(da)(ŝ,{circumflex over(x)})=∃_(x2′)∃_(x1′)∃_(z1′)(((x2′==x1)&&(x1′==x)&&(z1′==z))&&((x2′&&z1′)∥x1′))

It can be observed that the equation just-above is the same as one whichwas solved in this Section 5 while determining D₂(ŝ), except that in thedetermination of D₂(ŝ) there was also universal quantification. Usingthe result determined above for D₂(ŝ), up to the point where universalquantification was performed, leads to the following result forF^(da)(ŝ,{circumflex over (x)}):F ^(da)(ŝ,{circumflex over (x)})=((x1&&x)∥(x1&&!x&&z)∥(!x1&&x))F ^(da)(ŝ,{circumflex over (x)})=(x∥(x1&&!x&&z))

F^(da)(ŝ,{circumflex over (x)}) can be used to form a constraint, thatcreates the following augmented equivalent combinational assumptionconstraints:(!y&&x2)∥(y&&z1)==0(x∥(x1&&!x&&z))==0

Depending upon the constraint solver, an alternate format, for theaugmented equivalent combinational assumption constraints, is to findsolutions where all of the following expressions return a value of LogicOne:!((!y&&x2)∥(y&&z1))!(x∥(x1&&!x&&z))

The expression !(x∥(x1&&!x&&z)) can be re-written as (!x&&(!x1∥x∥!z))that can be simplified to (!x&&(!x1∥!z)). The only RV, of(!x&&(!x1∥!z)), is “x,” and finding a Logic One value for the expressionrequires always assigning a value of zero to “x.”

Since strong deadend avoidance assumes no knowledge of the DUT/DUVoutput (meaning any value is possible), the result of applying suchstrong deadend avoidance (for the above example) is input “x” beingconstrained to a constant value of Logic Zero. This may lead, however,to avoiding the detection of design errors since, for example, there maybe certain design errors that can only be discovered if “x” is set to aLogic One.

Knowledge of DUT/DUV structure can be used in formulating deadendavoidance constraints, but such avoidance can also lead to design errorsnot being detected. For example, assume in the previous example, that ifthe DUT/DUV is operating correctly, its “z” output is a Logic Zero inresponse to “x” being a Logic One. Assume, however, that the DUT/DUVcontains a design error that causes “z” to be Logic One in response to“x” being Logic One. A deadend avoidance algorithm, incorporating sucherroneous DUT/DUV design knowledge, would produce a constraint fixing“x” to a Logic Zero and the erroneous operation of the “z” output wouldnever be stimulated to occur.

As an alternative to the DUT/DUV structure itself, a referencespecification for the DUT/DUV (also known as a golden reference) can beused to predict its behavior. A problem with the use of such a referencespecification is that it may not be available or may not be in a formsuitable for deadend avoidance analysis. Assertions can be used as apartial reference specification to reduce, relative to strong deadendavoidance, the likelihood of design errors not being detected.

6. Hardware Environment

The sequential constraint solving architecture of the present inventioncan be executed within a computing environment (or data processingsystem) such as that of FIG. 9. FIG. 9 depicts a workstation computer1600 comprising a Central Processing Unit (CPU) 1601 (or otherappropriate processor or processors) and a memory 1602. Memory 1602 hasa portion of its memory 1603 in which are stored the software tools (orcomputer programs) and data of the present invention. While memory 1603is depicted as a single region, those of ordinary skill in the art willappreciate that, in fact, such software and data may be distributed overseveral memory regions or several computers. Furthermore, depending uponthe computer's memory organization (such as virtual memory), memory 1602may comprise several types of memory (including cache, random accessmemory, hard disk and networked file server). Computer 1600 can beequipped with a display monitor 1605, a mouse pointing device 1604 and akeyboard 1606 to provide interactivity between the software of thepresent invention and the chip designer. Computer 1600 also includes away of reading computer readable instructions from a computer readablemedium 1607, via a medium reader 1608, into the memory 1602. Computer1600 also includes a way of reading computer readable instructions viathe Internet (or other network) through network interface 1609.

In one embodiment, the processes for solving sequential constraints canbe implemented within software produced by Synopsys, Inc., of MountainView, Calif., USA. An example of such Synopsys software is Magellan.Magellan verifies a high-level specification of a circuit design, thathas typically been specified in Verilog or VHDL. Magellan provides twomain types of verification techniques: simulation (using the VCS HDLSimulator for a Verilog DUT/DUV or the Scirocco simulator for a VHDLDUT/DUV) or formal property verification.

In some embodiments, computer programs embodying the present inventionare stored in a computer readable medium, e.g. CD-ROM or DVD. In otherembodiments, the computer programs are embodied in an electromagneticcarrier wave. For example, the electromagnetic carrier wave may includethe programs being accessed over a network.

While the invention has been described in conjunction with specificembodiments, it is evident that many alternatives, modifications andvariations will be apparent to those skilled in the art in light of theforegoing description. Accordingly, it is intended to embrace all suchalternatives, modifications and variations as fall within the spirit andscope of the appended claims and equivalents.

1. An electromagnetic waveform comprising a computer program, thecomputer program for performing simulation verification of arepresentation of an electronic design of an integrated circuit (IC),the computer program performing the following steps when executed by adata processing system: conversion, by logic synthesis, of declarativeassumption constraints, comprising at least one sequential assumptionconstraint, into a gate-level assumption representation; converting thegate-level assumption representation into a hybrid representationcomprising assumption pipelines and equivalent combinational assumptionconstraints.
 2. A method of performing simulation verification,comprising: conversion, by logic synthesis, of declarative assumptionconstraints, comprising at least one sequential assumption constraint,into a gate-level assumption representation; converting the gate-levelassumption representation into a representation comprising equivalentcombinational assumption constraints.
 3. The method of claim 2, whereinthe step of conversion by logic synthesis further comprises thefollowing steps: conversion of declarative assumption constraints,comprising at least one sequential assumption constraint, into an HLHDL(High-Level Hardware Description Language) representation; andconversion of the HLHDL representation into a gate-level representation.4. The method of claim 2, wherein the step of converting the gate-levelassumption representation further comprises the following step:identifying deadend states.
 5. The method of claim 4, wherein the stepof identifying deadend states comprises the following step: determininga deadend states set from a fail function.
 6. The method of claim 4,wherein the step of identifying deadend states comprises the followingstep: determining an augmented deadend states set backward from adeadend states set until a fixed point is reached.
 7. The method ofclaim 6, wherein the step of determining an augmented deadend states setcomprises the following step: existential quantification of a variablerepresenting an output from a design under test or verification to anenvironment.
 8. The method of claim 4, further comprising the followingstep: augmenting the equivalent combinational assumption constraintssuch that the deadend states are avoided.
 9. The method of claim 2,wherein the step of converting the gate-level assumption representationfurther comprises the following step: determining a fail function fromassumption gates.
 10. The method of claim 2, wherein the step ofconverting the gate-level assumption representation further comprisesthe following step: determining a reachable states set.
 11. The methodof claim 2, wherein the step of converting the gate-level assumptionrepresentation further comprises the following step: determining a validtransition function by identifying a type of transitive fanin of aregister bit of an assumption pipeline.
 12. The method of claim 2,wherein the step of converting the gate-level assumption representationfurther comprises the following step: determining an augmented failfunction using a valid transition function and a set of deadend states.13. The method of claim 12, further comprising the following step:augmenting the equivalent combinational assumption constraints with aconstraint based upon the augmented fail function.
 14. The method ofclaim 2, wherein the step of converting the gate-level assumptionrepresentation further comprises the following step: identifyingaugmented assumption gates, as a type of transitive fanin, starting froman assumption error output.
 15. The method of claim 2, wherein therepresentation comprising equivalent combinational assumptionconstraints is a hybrid representation also comprising an assumptionpipeline.
 16. An electromagnetic waveform comprising a computer program,the computer program for performing simulation verification, thecomputer program performing the following steps when executed by a dataprocessing system: conversion, by logic synthesis, of declarativeassumption constraints, comprising at least one sequential assumptionconstraint, into a gate-level assumption representation; and convertingthe gate-level assumption representation into a representationcomprising equivalent combinational assumption constraints.
 17. Acomputer program product comprising: a computer usable medium havingcomputer readable code embodied therein for performing simulationverification, the computer program product including: computer readableprogram code devices configured to cause a computer to effectconversion, by logic synthesis, of declarative assumption constraints,comprising at least one sequential assumption constraint, into agate-level assumption representation; and computer readable program codedevices configured to cause a computer to effect converting thegate-level assumption representation into a representation comprisingequivalent combinational assumption constraints.